What Is a Security Operations Center (SOC)?
A security operations center (SOC) is a centralized
unit responsible for monitoring and managing an
organization's security posture. It is typically
staffed by security professionals who are
responsible for identifying, responding to and
mitigating security threats. In short, a SOC team is
responsible for making sure an organization is
operating securely at all times.
What Does a SOC Do?
Security Operations Centers, or SOCs, were
created to facilitate collaboration among security
personnel. They streamline the security incident
handling process as well as help analysts triage
and resolve security incidents more efficiently and
effectively. The SOC’s goal is to gain a complete
view of the business’ threat landscape, including
not only the various types of endpoints, servers
and software on-premises but also third-party
services and traffic flowing between these assets.
Key Functions of a SOC
SOC staff who possess the necessary skills can usually identify and respond to cybersecurity incidents themselves. The team also collaborates with other departments or teams to share incident information with relevant stakeholders. As a general rule, security operations centers operate 24/7, with employees working in shifts to mitigate threats and manage log activity. Third-party providers are sometimes hired to provide SOC services for organizations.
The key functions of a SOC include:
Monitoring and managing an organization's security posture.
Developing and implementing security policies and procedures.
Providing security awareness training to employees.
Responding to security incidents.
Analyzing logs, network traffic, and other data sources to identify potential threats and vulnerabilities.
Performing vulnerability assessments.
Providing threat intelligence reports.
Designing and implementing security solutions.
The SOC team also provides incident response
services, such as forensic analysis, malware
analysis and vulnerability assessment.
Additionally, they may provide threat intelligence
services, such as threat intelligence reports and
threat hunting.
Security incident handling requires these key
functions, which security operations teams
commonly deliver using a tiered structure that
accounts for the experience levels of their
analysts:
Tier 1 – Triage
Triage is the first level of the SOC. Tier 1 personnel
are responsible for triaging incoming security
incidents and determining the severity of the
incident. This includes identifying the source of
the incident, determining the scope of the
incident and assessing the impact of the incident.
Tier 1 personnel are also responsible for providing
initial response and containment measures, as
well as escalating incidents to higher tiers if
necessary. This is where security analysts
typically spend most of their time.
Tier 1 analysts are typically the least experienced
analysts, and their primary function is to monitor
event logs for suspicious activity. When they feel
something needs further investigation, they
gather as much information as possible and
escalate the incident to Tier 2.
Tier 2 – Investigation
Investigation is the second level of the SOC. Tier 2
personnel are responsible for investigating
security incidents and determining the root cause
of the incident. This includes analyzing logs,
network traffic and other data sources to identify
the source of the incident. Tier 2 personnel are
also responsible for providing detailed incident
reports and recommendations for remediation.
Tier 3 – Threat Hunting
Threat Hunting is the third level of the SOC. Tier 3
personnel are responsible for proactively hunting
for threats and vulnerabilities in an organization's
environment. This includes analyzing logs,
network traffic and other data sources to identify
potential threats and vulnerabilities.
Tier 3 personnel are also responsible for providing
detailed threat intelligence reports and
recommendations for remediation. The most
experienced analysts support complex incident
response and spend any remaining time looking
through forensic and telemetry data for threats
that detection software may not have identified as
suspicious. The average company spends the least
time on threat hunting activities, as Tier 1 and
Tier 2 consume so many analyst resources.
How Is a SOC Structured?
For most organizations, cybersecurity has evolved
into a major priority from its roots as a part-time
function of the IT team. Some security operations
teams still function as part of IT, whereas others
are separated into their own organization.
The SOC architecture is the overall design and
structure of a SOC. It typically consists of four
main components:
1. The SOC monitors and manages an organization’s security posture.
2. The security operations manager (SOM) manages the day-to-day operations of the SOC.
3. Security analysts monitor and analyze logs, network traffic, and other data sources to identify potential threats and vulnerabilities.
4. Security engineers/architects design and implement security solutions to protect an organization’s environment.
SOCs may operate as part of an infrastructure and
operations team, as part of the security group, as
part of the network operations center (NOC),
directly under the CIO or CISO, or as an
outsourced function (wholly or in part).
SOC Hub-and-Spoke Architecture
The SOC hub-and-spoke architecture is a model
for organizing a SOC. In this model, the SOC is
organized into a central hub and multiple spokes.
The hub is responsible for managing the overall
security posture of the organization, while the
spokes are responsible for monitoring and
managing specific areas of the organization's
security posture.
This model allows for greater flexibility and
scalability, as the organization can add or remove
spokes as needed. Additionally, the hub can
provide centralized oversight and coordination of
the organization's security operations.
Key SOC Roles and Responsibilities
The security operations staffing and
organizational structure of a SOC typically consist
of a security operations manager, security
analysts, incident responders, security
engineers/architects and security investigators:
1. SOC manager: Responsible for managing the day-to-day operations of the SOC, including developing and implementing security policies and procedures, and providing security awareness training to employees.
2. Advanced security analyst: Responsible for proactively hunting for threats and vulnerabilities in an organization's environment. This includes analyzing logs, network traffic, and other data sources to identify potential threats and vulnerabilities.
3. Incident responder: Responsible for responding to security incidents, including identifying the source of the incident, determining the scope of the incident and assessing the impact of the incident.
4. Security engineer/architect: Responsible for designing and implementing security solutions to protect an organization's environment. This includes designing and implementing network security solutions, such as firewalls, intrusion detection systems and antivirus software.
5. Security investigator: Responsible for investigating security incidents and determining the root cause of the incident. This includes analyzing logs, network traffic and other data sources to identify the source of the incident.
Find out more about SOC Roles and Responsibilities,
the key to your security operations success.
SOC as a Service (SOCaaS)
SOCaaS is a security model that allows a third-
party vendor to operate and maintain a fully
managed SOC on a subscription basis. This service
includes all of the security functions performed by
a traditional, in-house SOC, including network
monitoring; log management; threat detection
and intelligence; incident investigation and
response; reporting; and risk and compliance. The
vendor also assumes responsibility for all people,
processes and technologies needed to enable
those services and provide 24/7 support.
Find out more about the subscription-based SOC-as-
a-service delivery model.
SIEM Solutions in a SOC
Security information and event management
(SIEM) solutions are a type of security solution
that helps businesses monitor and analyze their
security data in real time. SIEM solutions collect
data from multiple sources, including network
devices, applications and user activity, and use
analytics to detect potential threats.
SIEM solutions allow businesses to respond
quickly to security incidents and take corrective
action. For many SOCs, this is the core
monitoring, detection and response technology
utilized to monitor and aggregate alerts and
telemetry from software and hardware on the
network and analyze the data for potential
threats.
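To make the collect-then-analyze loop concrete, here is an added example (not code from the original page or from Palo Alto Networks) of what a SIEM correlation rule does end to end: it parses two constructed log sources, sshd-style authentication lines and firewall-style connection lines, into one event schema, applies a rule that fires when a single source address produces five or more failed logins inside five minutes (high severity if a login is then accepted, medium if not), and enriches each alert with how many connections the firewall already denied from that address. The log formats, field names, thresholds and IP addresses are all constructed for this example.

```python
"""Added example: SIEM-style collection, normalization and correlation over constructed logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: an SSH authentication log and a firewall log for the same few minutes.
AUTH_LOG = [
    "2024-03-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T10:00:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "2024-03-01T10:00:05Z sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2024-03-01T10:00:07Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51237 ssh2",
    "2024-03-01T10:00:09Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51238 ssh2",
    "2024-03-01T10:00:20Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51240 ssh2",
    "2024-03-01T10:01:00Z sshd[1202]: Failed password for alice from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T10:01:04Z sshd[1202]: Accepted password for alice from 198.51.100.9 port 40002 ssh2",
    "2024-03-01T10:02:00Z sshd[1203]: Accepted publickey for deploy from 192.0.2.5 port 39000 ssh2",
    "2024-03-01T10:03:00Z sshd[1204]: Failed password for backup from 198.51.100.22 port 42000 ssh2",
    "2024-03-01T10:03:02Z sshd[1204]: Failed password for backup from 198.51.100.22 port 42001 ssh2",
    "2024-03-01T10:03:04Z sshd[1204]: Failed password for backup from 198.51.100.22 port 42002 ssh2",
    "2024-03-01T10:03:06Z sshd[1204]: Failed password for backup from 198.51.100.22 port 42003 ssh2",
    "2024-03-01T10:03:08Z sshd[1204]: Failed password for backup from 198.51.100.22 port 42004 ssh2",
]
FIREWALL_LOG = [
    "2024-03-01T09:59:50Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "2024-03-01T09:59:52Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp",
    "2024-03-01T10:02:00Z fw01 ALLOW src=192.0.2.5 dst=10.0.0.5 dport=22 proto=tcp",
]

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) "
                     r"for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>DENY|ALLOW) src=(?P<ip>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(auth_lines, fw_lines):
    """Collection step: parse both sources into one event schema and order them by time."""
    events = []
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:  # lines the parser cannot read are skipped here; a SIEM would count them as parse failures
            events.append({"ts": _ts(m["ts"]), "source": "auth", "src_ip": m["ip"], "user": m["user"],
                           "outcome": "failure" if m["outcome"] == "Failed" else "success"})
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "source": "firewall", "src_ip": m["ip"],
                           "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate_auth(events, threshold=5, window=timedelta(minutes=5)):
    """Analytics step: flag a source that fails `threshold` logins inside `window` (and any later success)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["source"] == "auth":
            by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        recent_failures = []  # timestamps of failures still inside the sliding window
        for ev in evs:        # already time-ordered by normalize()
            recent_failures = [t for t in recent_failures if ev["ts"] - t <= window]
            if ev["outcome"] == "failure":
                recent_failures.append(ev["ts"])
                continue
            if len(recent_failures) >= threshold:  # guessing that eventually worked
                alerts.append({"rule": "brute_force_then_success", "severity": "high", "src_ip": ip,
                               "user": ev["user"], "failures": len(recent_failures), "ts": ev["ts"]})
            recent_failures = []  # a success closes the window either way
        if len(recent_failures) >= threshold:      # guessing that has not (yet) worked
            alerts.append({"rule": "brute_force_attempt", "severity": "medium", "src_ip": ip,
                           "user": evs[-1]["user"], "failures": len(recent_failures), "ts": evs[-1]["ts"]})
    return alerts


def enrich_with_firewall(alerts, events):
    """Cross-source context: connections the firewall already denied from the alerting address."""
    denies = defaultdict(int)
    for ev in events:
        if ev["source"] == "firewall" and ev["action"] == "DENY":
            denies[ev["src_ip"]] += 1
    for alert in alerts:
        alert["firewall_denies"] = denies.get(alert["src_ip"], 0)
    return alerts


def run_pipeline(auth_lines, fw_lines):
    events = normalize(auth_lines, fw_lines)
    return enrich_with_firewall(correlate_auth(events), events)


if __name__ == "__main__":
    for alert in run_pipeline(AUTH_LOG, FIREWALL_LOG):
        print(alert)
```

Run as a script it prints two alerts: a high-severity one for 203.0.113.7 (five failures, then an accepted login, two prior firewall denies) and a medium one for 198.51.100.22 (five failures, no success). The two-failure source 198.51.100.9 produces nothing, which is the point of a threshold and window: the rule is tuned so that ordinary mistyped passwords do not become tickets.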
Explore how SIEM solutions intertwine with SOC
teams to identify potential security issues.
Security Operations Center Best Practices
The SOC team's primary focus is to implement the
security strategy rather than develop it. This
includes deploying protective measures in
response to incidents and analyzing the
aftermath. SOC teams use technology for data
collection, endpoint monitoring and vulnerability
detection. They also work to ensure compliance
with regulations and protect sensitive data.
Before any work can begin, there needs to be a
well-defined security strategy that is aligned with
business goals. Once that's in place, the necessary
infrastructure must be established and
maintained. This requires a wide range of tools,
features and functions.
The following are the best SOC practices for
establishing a secure enterprise:
1. Establish a SOC: Establish a centralized unit responsible for monitoring and managing an organization's security posture.
2. Develop security policies and procedures: Develop and implement security policies and procedures to ensure that the organization complies with applicable laws and regulations.
3. Implement security solutions: Implement security solutions, such as firewalls, intrusion detection systems and antivirus software, to protect an organization's environment.
4. Monitor and analyze logs: Monitor and analyze logs, network traffic and other data sources to identify potential threats and vulnerabilities.
5. Provide security awareness training: Provide security awareness training to employees to ensure that they are aware of the organization's security policies and procedures.
6. Perform vulnerability assessments: Perform vulnerability assessments to identify potential weaknesses in an organization's environment.
7. Respond to security incidents: Respond to security incidents in a timely manner to minimize the impact of the incident.
Which Tools Are Used in a SOC?
SOCs use various tools for prevention, event
logging, automation, detection, investigation,
orchestration and response. Many SOC teams have
multiple sets of siloed tools for different parts of
their infrastructure. Research by analyst firms
such as Ovum and ESG has found that the majority
of enterprises use more than 25 separate tools in
their SOCs. These tools might include the
following:
SIEM
Network Intrusion Detection System (NIDS)
Network Intrusion Prevention System (NIPS)
Security Orchestration, Automation and Response (SOAR)
Security Analytics Platforms
Endpoint Detection and Response (EDR)
Vulnerability Management Solutions
Data Loss Prevention (DLP)
Identity and Access Management (IAM)
Firewalls
XDR is a new class of detection and response tools
that integrates and correlates data from the
endpoint, the network and the cloud. XDR
replaces several key tools security operations
teams rely on and is designed to increase security
visibility, efficiency and efficacy. For more on how
XDR optimizes security operations, check out
Cortex XDR.
Security Operations Center (SOC) FAQs
Q: Why is a SOC important?
A: Organizations must prevent major cyber incidents and reduce threats, and the resulting adoption of centralized security operations means a SOC can provide a comprehensive approach to detecting, preventing and mitigating attacks. Having a dedicated SOC can provide continuous protection and uninterrupted monitoring to detect anomalous activity. A SOC can also provide proactive threat prevention and hunting via analysis and modeling. Having a diverse security team beyond the four analyst tiers (Tier 1: Triage Specialist; Tier 2: Incident Responder; Tier 3: Threat Hunter; Tier 4: SOC Manager) can provide broader and deeper coverage. Those roles include titles such as vulnerability managers, threat intelligence analysts, malware analysts and forensic analysts.
“The Security Operations Center (SOC) represents
an organizational aspect of an enterprise’s
security strategy. It combines processes,
technologies, and people to manage and enhance
an organization’s overall security posture. This
goal can usually not be accomplished by a single
entity or system but rather by a complex
structure. It creates situational awareness,
mitigates the exposed risks, and helps to fulfill
regulatory requirements. Additionally, a SOC
provides governance and compliance as a
framework in which people operate and to which
processes and technologies are tailored.” –
Security Operations Center: A Systematic Study
and Open Challenges
Q: How can I improve my SOC?
A: Organizations need to take a page out of
modern attack playbooks wherein well-funded
threat actors are investing in new tools like
machine learning, automation and artificial
intelligence. Challenges from legacy SOC
environments can include:
Lack of visibility and context.
Increased complexity of investigations.
Alert fatigue and “noise” from a high volume of low-fidelity alerts generated by security controls.
Lack of interoperability of systems.
Lack of automation and orchestration.
Inability to collect, process and contextualize threat intelligence data.
Investing in solutions that can consolidate a
myriad of disjointed, siloed tools, improve MTTR
and MTTI and alleviate analyst burnout is the
proverbial path forward to stay ahead of today’s
threats.
Q: How is a SOC related to SIEM?
A: SOCs commonly receive a barrage of security alerts in a single day, many of them low-fidelity alerts that overwhelm security analysts with false positives (i.e., alerts that incorrectly indicate that malicious activity is occurring). Consequently, the number of alerts far exceeds what most security teams can effectively manage, and many go uninvestigated. A SIEM solution is intended to take some of this burden off SOC analysts. Although a SIEM is not a requirement for having a SOC, the two work together to protect internal resources.
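The alert-volume problem described in this answer (and the Tier 1 triage step described earlier on the page) is usually handled by a processing stage that runs before any analyst sees a queue. The following added example, which is not from the original page or from any vendor product, shows the three mechanisms such a stage applies in plain Python: aggregation of repeated alerts from one source into a single record with a count, suppression of an authorized vulnerability scanner that is known to trigger a rule, and a priority score built from severity and each rule's historical true-positive rate that decides whether a record is escalated to Tier 2, queued for Tier 1, or only logged. The alert stream, rule names, fidelity values, allowlist and thresholds are all constructed for the example.

```python
"""Added example: a triage stage that aggregates, suppresses and prioritizes SIEM alerts."""
from datetime import datetime, timedelta

# Constructed allowlist: the organization's own authorized vulnerability scanner.
KNOWN_SCANNERS = {"10.0.0.50"}
# Constructed per-rule fidelity: fraction of past alerts from each rule that were true positives,
# the kind of figure a SOC derives from its closed tickets.
RULE_FIDELITY = {"port_scan": 0.05, "av_signature_match": 0.3, "lsass_memory_read": 0.9}
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ESCALATE_AT, TRIAGE_AT = 2.0, 0.5  # constructed thresholds on the priority score


def constructed_alert_stream():
    """51 raw alerts as a SIEM might emit them in about two minutes (field names are our own)."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    alerts = []
    for i in range(20):  # the authorized scanner sweeping 20 hosts, one alert per host
        alerts.append({"ts": base + timedelta(seconds=i), "rule": "port_scan",
                       "src": "10.0.0.50", "host": f"srv{i:02d}", "severity": "low"})
    for i in range(30):  # a noisy AV rule re-firing on the same workstation every 5 s
        alerts.append({"ts": base + timedelta(seconds=5 * i), "rule": "av_signature_match",
                       "src": "10.0.0.23", "host": "wks-23", "severity": "medium"})
    alerts.append({"ts": base + timedelta(minutes=2), "rule": "lsass_memory_read",  # one high-fidelity EDR alert
                   "src": "10.0.0.23", "host": "wks-23", "severity": "high"})
    return alerts


def aggregate(alerts, window=timedelta(minutes=10)):
    """Collapse repeats of the same rule from the same source within `window` into one record."""
    groups, out = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["rule"], a["src"])
        g = groups.get(key)
        if g and a["ts"] - g["last_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = a["ts"]
            g["hosts"].add(a["host"])
        else:
            g = {"rule": a["rule"], "src": a["src"], "severity": a["severity"],
                 "first_seen": a["ts"], "last_seen": a["ts"], "count": 1, "hosts": {a["host"]}}
            groups[key] = g
            out.append(g)
    return out


def prioritize(records, known_scanners=KNOWN_SCANNERS, fidelity=RULE_FIDELITY):
    """Score each aggregated record and decide who, if anyone, should look at it."""
    for r in records:
        if r["rule"] == "port_scan" and r["src"] in known_scanners:
            r["priority"], r["disposition"] = 0.0, "suppressed"  # expected behaviour of our own scanner
            continue
        score = SEVERITY_WEIGHT[r["severity"]] * fidelity.get(r["rule"], 0.5)
        if len(r["hosts"]) > 1:
            score *= 1.5  # one source hitting many hosts reads as a campaign, not 20 separate tickets
        r["priority"] = round(score, 2)
        if score >= ESCALATE_AT:
            r["disposition"] = "escalate"  # straight to Tier 2
        elif score >= TRIAGE_AT:
            r["disposition"] = "triage"    # Tier 1 queue
        else:
            r["disposition"] = "log_only"  # kept for hunting and context, no ticket
    return sorted(records, key=lambda r: r["priority"], reverse=True)


def triage(raw_alerts):
    """Full stage: raw alert stream in, prioritized work items out."""
    return prioritize(aggregate(raw_alerts))


if __name__ == "__main__":
    raw = constructed_alert_stream()
    items = triage(raw)
    print(f"{len(raw)} raw alerts -> {len(items)} work items")
    for r in items:
        print(f"{r['disposition']:10} priority={r['priority']:<5} {r['rule']} from {r['src']} "
              f"x{r['count']} on {len(r['hosts'])} host(s)")
```

On the constructed stream the 51 raw alerts become three work items: the single EDR alert is escalated, the 30 AV hits collapse into one Tier 1 item that records the count, and the 20 scanner alerts are suppressed. Per-rule fidelity is the part worth maintaining in practice: a rule whose true-positive rate is tracked from closed tickets can be tuned or retired, which is how a SOC reduces the low-fidelity volume at its source rather than only filtering it.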
Copyright © 2023 Palo Alto Networks. All rights reserved